Reply To: Capturing low impact high frequency events
Thanks for another great question brave_Michael.
You will remember on the course that I said that I don’t include risks with Minor or Insignificant consequences unless there is a cumulative effect (i.e. multiple instances of the same issue could lead to higher consequences). This is an example where, despite each single occurrence being Insignificant, the cumulative effect could be catastrophic.
I like your suggestion for the consequence matrix in relation to a number of repeated events as this captures that cumulative effect. What it also does is potentially raise the consequence level. In this instance it appears that the controls (either preventative and/or detective) were ineffective, which therefore raised the Likelihood to Likely/Almost Certain. If we look at the cumulative effect of repeated occurrences, the consequence could easily be justified as at least Moderate, although, if left unchecked, the consequences could be Major or Severe. What this would then do is raise the level of consequence so that it at least gets some attention in terms of assurance around the controls (we also covered Consequence Based Internal Audit).
The internal audit you conducted found that the consequences were Major but, if you hadn’t done that, there is every reason to think they could be Severe. And this makes sense – you are a fee-for-service organisation where overcharging could impact your reputation and undercharging impacts your bottom line. If it is your major/only revenue stream then what you charge for those services needs to be right.
As it stands right now I would assess this risk as Almost Certain/Major so it is likely to be a High Risk. What you need to do now, having identified that there are some issues, is to strengthen the current controls or, if appropriate, implement new controls – preventative and detective. The strengthening of the preventative controls will reduce the Likelihood and the strengthening of the detective controls will reduce the Consequence (i.e. you will find it a lot earlier). This should then bring the risk down to Unlikely/Minor – which should bring it to be within your target level for financial risk. It only stays there, however, if the controls remain effective.
It is a very interesting one because, on the surface, it would appear to be a very low consequence risk, but repeated instances that then become systemic could seriously impact the bottom line of the company.
Hope that helps.